
foomuuri

This section can usually be omitted, as the default values should be fine.

This section defines common options for Foomuuri. If you really need to change something, it is usually better to override a single value rather than the full section. Example:

foomuuri {
  # Change rpfilter's value, keep everything else as default
  rpfilter no
}

The full list of default values is:

foomuuri {
  log_rate "1/second burst 3"
  log_input yes
  log_output yes
  log_forward yes
  log_rpfilter yes
  log_invalid no
  log_smurfs no
  log_prefix "$(szone)-$(dzone) $(statement)"
  log_level "level info flags skuid"
  localhost_zone localhost
  dbus_zone public
  rpfilter yes
  flowtable no
  counter no
  set_size 65535
  recursion_limit 10000
  priority_offset 5
  dbus_firewalld no
  nft_bin nft
  try_reload_timeout 15
}

log_rate is the default logging rate per source IP. The default value logs the first three entries per source IP and then one additional entry per second. The rate specification is the same as in a rate limit rule.

log_input ... log_smurfs define the default value for each specific type of logging. The value can be:

  • yes to log it with log_rate
  • no to not log it
  • "3/second burst 10" to log it with a specific rate

log_prefix defines the default prefix of log messages.

log_level is the syslog level of logging. For the possible values, see the rule-specific version.

localhost_zone is the name of the zone used for the computer running Foomuuri, similar to "localhost" in hostnames. See the zone and zone-zone sections for more information.

dbus_zone is the name of your outgoing internet zone. It is used by the D-Bus support.

rpfilter enables or disables reverse path filtering. The value can be:

  • yes to enable it on all interfaces
  • no to disable it
  • eth0 eth1 eth2 to enable it only on the specified interfaces eth0 eth1 eth2
  • -eth1 -eth2 to enable it on all interfaces other than eth1 eth2

flowtable enables the Netfilter flowtable infrastructure for the specified interfaces, for example flowtable eth0 eth1. It improves network forwarding performance for high-speed interfaces. The optional hw_offload=yes keyword enables hardware offloading (make sure your interface supports hw-tc-offload). The value yes and the negative notation do not work here.

counter adds an anonymous byte and packet counter to rules. The value can be:

  • yes to add it to all rules
  • no to not add it
  • localhost-public public-localhost to add it to all rules in the localhost-public and public-localhost sections

set_size is the size of the rate limit set, the log rate limit set and the dynamic iplist set. This is the maximum number of entries in the set in the kernel. The default value 65535 is fine for a normal host. For a company firewall a larger value is required, for example 262143 (equals 2^18 - 1). Setting this value too high does no harm. If a set is full, new entries can't be added. This doesn't matter for log rate limits, but for rate limits and dynamic iplists it means that the statement (usually accept for a rate limit, drop for an iplist) is skipped. See foomuuri ruleset list for the content of your currently active sets.

recursion_limit is the internal limit that guards against macro and template expansion loops. Increase this value if you get a false "Possible macro or template loop" error.

priority_offset is the chain priority offset for rules generated by Foomuuri. Tune this value if you have multiple programs adding chains and want to process them in a particular order. For example, iptables uses offset 0 and firewalld uses 10. The lowest priority is processed first. So to process Foomuuri rules first, use the value -5. To process them last, use 20.

dbus_firewalld enables or disables firewalld D-Bus emulation inside Foomuuri. NetworkManager can tell firewalld to attach and detach interfaces to zones via a D-Bus call. This option makes Foomuuri listen on the firewalld D-Bus interface and do the same thing.

nft_bin is the name of the nft binary. A full path can be specified if required.

try_reload_timeout is the timeout, in seconds, for the foomuuri try-reload command.
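As an added example that is not part of the Foomuuri documentation or project, the following configuration combines several of the overrides described above (rpfilter, flowtable, counter, set_size and priority_offset) for a multi-interface forwarding firewall. The interface names eth0, eth1 and wg0, the zone names public and lan, and the chosen numbers are assumptions made for illustration; everything not listed keeps its default value.

```conf
foomuuri {
  # Keep reverse path filtering on every interface except wg0 (assumed to carry
  # asymmetric routes); disabling it only there keeps anti-spoofing on the rest
  rpfilter -wg0

  # Accelerate forwarding between the two wired interfaces; hw_offload=yes is
  # only useful when the NICs support hw-tc-offload
  flowtable eth0 eth1 hw_offload=yes

  # Byte/packet counters only on the forwarding sections being tuned
  # (zone names public and lan are assumed)
  counter public-lan lan-public

  # Larger kernel sets for rate limits and dynamic iplists: when a set is full,
  # new entries are skipped and so is the accept/drop statement, so size it for
  # the expected number of source addresses
  set_size 262143

  # Process Foomuuri's chains before iptables (offset 0) and firewalld (10)
  priority_offset -5
}
```

After reloading, foomuuri ruleset list shows the entries in the active sets, which is the practical way to confirm that set_size is large enough for the addresses actually being tracked.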